Information and Identity Governance – Identity Credentials

Traditional identity credentialshave been referred to as “something you have, something you know, and something you are” for example a smartcard, a password and a photograph (biometric).

Other forms are being introduced, “something you do” – characteristics of your typing, ”something you have done” – knowledge of your history, “something you prefer” – favourite artist, “something you can access” – ability to receive and respond to an email or SMS message.

Crucial question to consider...

31. Is there a complete taxonomy of identity attributes and credentials with details of the benefits and limitations of each? Can the ontology of identity credentials to cover these new types of credentials?

Metrics – in order to select a good credential scheme, it is desirable that accurate metrics are available. However this is rarely the case. Biometrics have for a long time had metrics of “false accept rate” and “false reject rate”, as a way of measuring and controlling acceptable performance.

These are usually applied to just the biometric element, but to be truly useful should be applied across the whole credential system especially where multi-modal biometrics are used. This should consider different threat models and types of errors. Errors may include system failure errors (biometric device fails to read a biometric, human forgets password, smartcard breaks) – these need empirical evidence from a deployment, not just laboratory experiments. Threat models should include cases where the motivation is to produce a non-match – in an identity parade a criminal may try to create a false negative, in e-banking an attacker may try to generate a denial-of-service by a false negative.

32. Can we design a system that can use the application of metrics to compare different credential schemes?

33. Can we establish and justify the level of device trust in practical use, and provision of metrics?. How easy is it to copy credentials for backup or for fraud? How easy is it to counterfeit or forge credentials? What incentives and technologies affect this?

a. Are current consumer devices adequately secure for credential storage?